Georgi Guninski security advisory #4, 2000 IE 5 security vulnerablity - circumventing Cross-frame security policy and accessing the DOM of "old" documents. Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 (suppose other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of "old" documents using

and a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks. This allows reading local files, reading files from any host, window spoofing, getting cookies, etc. Details: This is a strange exploit. If you open a new document in a window that contains an old document, the old document's DOM may be accessed by the new document until the new document is completely parsed and displayed. Looks like IE keeps the old document until the new document is finally parsed and displayed. If you put a

in the new document, it has access to the old document's DOM. Examine the source code for more info: The code is: -----------------img2main.html--------------------------------------- link --------------------------------------------------------------------- ----------------img2.html--------------------------------------------

--------------------------------------------------------------------- Demonstration is available at: http://www.nat.bg/~joro/img2main.html Workaround: Disable Active Scripting Regards, Georgi Guninski http://www.nat.bg/~joro